Is PCI Compliance a Must? Website PCI Compliance, a New Standard

PCI (Payment Card Industry) compliance used to be the concern of larger merchants known as Levels 1, 2 and 3. Level 3 applies to merchants with over 20,000 transactions per year, Level 2 is between 20,000 and 6,000,000 and Level 1 is for transactions totaling 6,000,000 or more. Small Level 4 merchants process fewer than 20,000 transactions.

For these larger firms, not validating PCI compliance exposed them to fines and indefinite suspension of their right to process credit card transactions. However, beginning June 30, 2007, PCI compliance will change for Level 4 merchants. PCI compliance is a must for merchants who process fewer than 20,000 transactions per year too. In other words, Level 4 merchants will no longer be exempt from PCI compliance.

Industry insiders have noted that American Express has already begun alerting Level 4 merchants about the need for compliance. The other credit card companies will probably follow suit shortly after.

What is the new PCI Security Standard?

The PCI Security Standards Council, LLC, is a consortium of the major credit card companies: Visa, MasterCard, Discover, JCB and American Express. Before the Payment Card Industry (PCI) Data Security Standard was adopted, each credit card company had its own proprietary validation system. With the Payment Card Industry Data Security Standard, the industry now has a globally accepted standard to secure payment account data and protect credit card holders and companies from fraud and data theft.

What Are The Basics of PCI Compliance and Validation Regulations?

The payment card industry compliance and validation regulations apply to financial institutions, Internet vendors and retail merchants. The rules spell out what security measures must be taken to protect the private information of employers and employees during any transaction made with a paycard. They also require certain auditing procedures. The Payment Card Industry Data Security Standard is used by all card brands to ensure the security of the data gathered while an employee is making a transaction at a bank or participating vendor.

The six categories of PCI security standards:

1. Build and maintain a secure network by installing a firewall that protects consumers' data and by not using the default system passwords supplied by software vendors.

2. Guard cardholder information by making sure all stored data is protected and by encrypting the transmission of that data on public networks.

3. Protect the network by running anti-virus software that is regularly updated and by developing and maintaining secure systems and applications.

4. Control access by only allowing access to the system on a need-to-know basis, having unique IDs for all employees who have access to the system and limiting employees' physical access to all cardholder data.

5. Test and monitor networks regularly by tracking and monitoring all access to network systems and cardholder data and by performing security tests on network systems.

Contained within the regulations of Visa and MasterCard are more than 200 sub-regulations that merchants must meet as part of the six categories listed above.

What does it all mean for the small business merchant?

Aside from in-house changes to processes and systems for handling data, many of the compliance issues will fall into the lap of the merchant's hosting provider and must be monitored by a third party vendor. The idea is to prevent the fox from guarding the chicken coop.

Everybody knows the small business website owner has concerns over cost, overall value and customer service/support when it comes to achieving PCI compliance. Anything that costs more money can cut into profit margins. However, there is a silver lining to the new mandates.

Research studies have shown that a public that is wary about online purchases because of fraud and identity theft is more likely to transact business on websites that prominently display third party website security seals. Since you can't avoid the inevitable, it's a smart idea to find out who's the best PCI compliance vendor for your business.

devNIC recommends ControlScan as the small business owner's best overall value for a third party website security certification provider because they are an approved PCI compliance scanning vendor certified by the PCI Security Standards Council. They provide professional scanning, vulnerability, intrusion and security protection at a reasonable price and have a knowledgeable support staff to help customize integration for any website.